Features

net.wars: The cookie monster

Google announced this week that in order to improve user privacy it would cut the length of time its cookies stay on our systems to two years. The clock will start ticking again every time you use Google or a site using a Google application. The company also plans to anonymize its user logs after 18 months.

The company has been under attack lately for its privacy policies. First, a few weeks ago, Privacy International published its report on the privacy practices of key Internet companies, A Race to the Bottom, and Google came last. Not, you understand, that many companies did all that much better.

Privacy International didn't think any company was "privacy-friendly and privacy-enhancing", but it classed several as "generally privacy-aware but in need of improvement". These were: eBay, LiveJournal, the BBC, Wikipedia, and Last.fm. The report excluded travel sites and financial services, on the grounds that these are subject to regulations beyond their control..

You may notice that these sites aren't exactly comparable with Google, to say nothing of other companies included in the survey, such as AOL, Friendster, Microsoft, and Skype. This seems to me a real problem. The BBC, which does not rely on advertising or commercial sales, needs to operate no registration system, and outside its ecommerce sales has no reason to track anybody beyond generating usage statistics to show the patterns of how content is accessed on its site. Skype, on the other hand, can hardly offer a service without retaining user information, call records, and financial data. Practices that Skype must engage in to operate would be shockingly privacy-invasive if adopted by the BBC. More difficult to assess is user privacy on the social networking sites; on a site like Friendster or LiveJournal by publishing the details of their lives and thoughts users may invade their own privacy far more comprehensively than the site itself can.

The sites are also not comparable in terms of how necessary they are.

Hardly anyone really needs AOL. Keeping a blog on LiveJournal is optional; my life proceeds quite happily without Friendster or Facebook. But it's almost impossible these days to look anything up without at least considering looking on Wikipedia, and while there are many VoIP services, peer pressure makes a lot of people sign up for Skype. Therefore, while it's reasonable to compare the companies' corporate behavior, the impact of that behavior is not comparable, nor is the amount of effort and money respecting privacy costs the company.

It's a lot harder for Google to respect privacy and maintain its revenue stream than it is for the BBC.

It's also ironic that eBay should have scored so well. Police forces all over Britain agree that online auction fraud is one of the biggest sources of complaints they have. Google's ability to track everyone's search history, reading habits, and general interests may be, long-term, the worse privacy invasion. But to most people it's worse to be ripped off, and while eBay says it takes fraud seriously, the site is still awash in counterfeit DVDs, and does nothing to warn people with transactions in progress when a user's account is suspended for fraud. Which is worse? Being marketed at and tracked or being ripped off?

Given that so many people are happy to hand over their privacy in return for some money off groceries (loyalty cards) or a truly modest amount of better treatment from their airline, I'd guess most people would think the latter.

But even given all that Google's announcement this week is so trivial that it's insulting.

For one thing, as Google Watch points out, Google assigns your computer a unique ID that persists through rain, snow, IP address change and cookie rewrite. For another, you have no idea when you click on a URL whether a Web site you're about to visit uses a Google service. The point of privacy practices is to give users control; this does anything but that. Why not instead widen the user-configurable preferences to include whether or not to accept cookies and for how long? How hard can that be for all those Google geniuses?

As Privacy International noted, most companies regard individual IP addresses as essentially anonymous, impersonal data – absurd in this time of broadband, when people have the same addresses for years on end. My IP address identifies my computer system more tightly than a library card.

To a large extent, Privacy International blames advertising. As long as content and services are going to be paid for by advertising, sites must track user statistics and supply the data that keeps advertisers happy. There's some justice to that.

But the real problem is the users: who is going to stop using Google because of its privacy policies? You might decide to avoid Gmail, or to delete patiently, one by one, the Usenet postings you crazily typed one night while drunk in 1982, but if you want search, or advertising on your own site… Google is successful as a business because it's made itself indispensable.